
© Defensive Origins LLC    C0310.12 – APT Optics Infrastructure - Sysmon
Applied Purple Teaming – Infrastructure, Threat Optics, and Continuous Improvement
June 6th, 2020
Sponsored by Black Hills Information Security
Windows Event Collection - PowerShell Logging is Easy
The PowerShell way to turn on auditing:
• WevtUtil gl "Windows PowerShell" (list configuration)
• WevtUtil sl "Windows PowerShell" /ms:512000000 (set maximum log size, in bytes)
• WevtUtil sl "Windows PowerShell" /rt:false (retention off: oldest events are overwritten instead of logging stopping when the log is full)
• WevtUtil gl "Microsoft-Windows-PowerShell/Operational" (list configuration)
• WevtUtil sl "Microsoft-Windows-PowerShell/Operational" /ms:512000000
• WevtUtil sl "Microsoft-Windows-PowerShell/Operational" /rt:false
Can also configure the following via command line options:
• Module Logging
• Script Block Logging
• Script Execution Privileges (i.e. signed / bypass / enforced)
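The slide lists the settings; the script below is an added example (not from the course material) that applies all of them from an elevated PowerShell session and then checks that they took effect. The registry paths are the standard Group Policy locations for PowerShell logging; choosing AllSigned for the execution policy is an assumption for illustration.

```powershell
# Added example: enable PowerShell logging sources and verify them.
# Assumes an elevated session. Policy registry paths are the documented
# Group Policy locations; the AllSigned choice is illustrative.
$ErrorActionPreference = 'Stop'
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$logs = 'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational'

# 1. Script Block Logging (event ID 4104 in the Operational channel)
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module Logging for every module (event ID 4103)
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' `
    -PropertyType String -Force | Out-Null

# 3. Script execution privileges: require signed scripts machine-wide
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 4. Channel size and retention, same as the wevtutil commands on the slide
foreach ($log in $logs) {
    & wevtutil.exe sl $log /ms:512000000
    & wevtutil.exe sl $log /rt:false
}

# Verify: both channels are large enough and circular (retention off),
# and both policy switches are set. Returns $true only if everything holds.
function Test-PowerShellLogging {
    $ok = $true
    foreach ($log in $logs) {
        $cfg = Get-WinEvent -ListLog $log
        if ($cfg.MaximumSizeInBytes -lt 512000000 -or $cfg.LogMode -ne 'Circular') {
            Write-Warning "$log : size=$($cfg.MaximumSizeInBytes) mode=$($cfg.LogMode)"
            $ok = $false
        }
    }
    if ((Get-ItemProperty $sbl).EnableScriptBlockLogging -ne 1) {
        Write-Warning 'Script Block Logging is not enabled'; $ok = $false
    }
    if ((Get-ItemProperty $ml).EnableModuleLogging -ne 1) {
        Write-Warning 'Module Logging is not enabled'; $ok = $false
    }
    return $ok
}
Test-PowerShellLogging
```

Run the check again after a Group Policy refresh; a domain policy that sets the same keys will override the local values, so the verification function is the part worth keeping in a baseline script.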